Passwords·March 20, 2026·6 min read

A strong password is useless if your email is compromised.

Email is the master key to your digital life. How to protect it properly — without going paranoid.

Mohamed ESSID
Founder — Trasimène

Email is the master key

Almost every online service offers account recovery via email: 'Forgot your password?'. Whoever controls your email address therefore potentially controls your Amazon account, your banking app, your social networks, your cloud storage, your Apple ID or Google account.

An attacker who accesses your Gmail or Outlook can trigger a password reset on any service linked to it — without knowing a single one of your passwords. The strength of your Gmail password matters infinitely more than the strength of your Spotify password.

This is what security professionals call the 'weakest link': attackers don't target the best-protected service — they target the least-protected service that can reach the others.

Common attacks on email accounts

Four attack vectors account for the vast majority of email compromises.

  • Targeted phishing is the most frequent: an email imitating Google, Microsoft or Apple invites you to sign back in. The phishing page captures your credentials in real time.
  • Credential stuffing exploits databases of passwords stolen from other services (Have I Been Pwned lists over 15 billion exposed accounts) — if you reuse the same password, attackers automatically try it on your email.
  • SIM swapping hijacks your phone number from your carrier to intercept verification texts.
  • Brute force targets accounts without 2FA that use simple passwords.

How to protect your email

Five concrete actions, ranked by impact:

  • Enable two-factor authentication (2FA) — preferably via an authenticator app (Google Authenticator, Authy, Aegis) rather than SMS, which is vulnerable to SIM swapping.
  • Use a unique, long password (20+ characters) generated by a password manager (Bitwarden, 1Password) — never reuse it elsewhere.
  • Check active sessions regularly: in Gmail, click 'Account activity' at the bottom of the page to view and close any suspicious connection.
  • Enable login alerts for new devices — Gmail and Outlook send an email or notification for every new sign-in.
  • Avoid using your main email address as a login on unfamiliar sites — use an alias address (SimpleLogin, Apple Hide My Email).

SMS-based 2FA is better than nothing but remains vulnerable to SIM swapping. Prefer an authenticator app (Google Authenticator, Authy) or a hardware key (YubiKey).

Digital security is a chain. Its weakest link is often email, not the service you're trying to protect. Take five minutes today to enable 2FA on your main email account — it's the single action with the highest protection-to-effort ratio in personal digital security.
